OpenWrt Forum Archive

Topic: Vonets Var11n Plus uboot

The content of this topic has been archived between 1 Apr 2018 and 24 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

Hello. Let me first say hello to everyone here, as I am a newcomer. smile

I don't really know if this is the right section, so please mods, move it if it is misplaced. Thanks!

Well, I have bought a nice very cheap wifi router from Vonets.
http://www.vonets.com/ProductViews.asp?D_ID=71

The device is firmware locked to only wifi router mode, so I would like to upgrade with OpenWRT. The device is based on MT7620N SoC and has an additional 256 Mbit RAM module. Exposed pins on the board are for TX and RX, just like in the Buffalo AirPlay. The problem is that it seems uBoot is set to automatic boot, therefore no availability to interrupt the sequence with any key. The board also has a GPIO button installed, but that also does not make any difference when trying to enter the bootloader menu.

Now my question. I understand that it is impossible to reset the autoboot flag, once the firmware is flashed. The complete bootloader needs to be reflashed with autoboot disabled. I need ideas on how to do that.

Device offers webpage upgrade, where the script on the router pulls a file from FTP somewhere in China. I was thinking to overcome the uBoot limitation with some route voodoo on the main router. The idea is to sniff out the requested file, reroute the destination IP to something local with an FTP server and serve the updated OpenWRT firmware instead. The device board looks almost identical to the Buffalo's AirPlay, so I assume there shouldn't be any limitations.

Any ideas are welcome guys as this is a really tiny WRTNode like hardware. smile

Best,
Andrej

Ok, since no one seems to be interested in these very cheap routers... I will continue by myself then.

I've sniffed the FTP process and got the request the router makes. It downloads a txt file, containing some encrypted lines for the model and firmware. Lines look like base64 encoded, but are not decodable easily. It seems that some strange character encoding was used. Right now, I am comparing a few different versions of this txt file to see if I can find some similarities between lines. If I am successful, I will try to inject a "rogue" fw for the box to update.

I have also executed binwalk on the firmware, where the contents are decoded, but some false positives are present too. It says that the first 64 bytes of the firmware are uBoot parameters, followed by LZMA compressed image. The image looks encrypted, but binwalk cannot recognize the encryption, nor is it possible to decompress and mount the image.

If anyone had any similar experiences, please share!

***EDIT: file was not encrypted, I've missed the LZMA header when slicing. smile

(Last edited by deeexit on 8 Dec 2014, 13:36)

Ok, I got further. After dd-ing the initial firmware file to isolate uBoot and LZMA compressed data, I then successfully extracted the files with lzma -d image.xz

The decompress produces another file, which is another image containing the Linux kernel and complete file dump. I will be investigating this further and extract the filesystem to get to the "version" encryption/decryption software.

Update soon. smile

I bought this router by mistake, I wanted a bridge, and I found out quite late, the stupid company that makes it doesn't allow you to change the mode for this router, so you are stuck with only router mode. By the way, all their earlier released hardware is switchable via software, but this is their only model that doesn't, I don't understand why that is.
To be honest it's a nice piece of hardware and the specs are good compared to the price, but I can't make use of it while it's like that. I need it as a portable bridge, I can connect it to my TV receiver or the Xbox 360.
I hope I can help to make things go a little faster. I have good knowledge of hardware but I'm not that good at programming, but I learn fast. If you can tell me where to start I might help. I'd love to see OpenWrt installed on this router, I have it on my main router and I love it.
By the way, I noticed that the same company makes a model "VAH300" that is compatible with OpenWrt and they do distribute some kind of SDK for it. This router has the very same specs as the VAR11n plus.
I don't know, but I think it would help.
http://www.vonets.com/ProductViews.asp?D_ID=73
This is it, and if you find the links dead, those for downloading the SDK and documents, just switch the language to Chinese and you will find the links working on the Chinese page.
http://www.vonets.com/download/OpenWrt/vmware_7.1.3.rar
http://www.vonets.com/download/OpenWrt/ … 6.36.1.rar
http://www.vonets.com//download/OpenWrt … onment.pdf
http://www.vonets.com//download/OpenWrt … 0Notes.pdf

(Last edited by mr2000jp on 20 Dec 2014, 06:42)

Hi. Nice to see there are others out there lol. I also bought this router by mistake as it was advertised to be able to change modes.

Anyway, I have made it this far to modify the firmware (telnetd was commented out in rcS) and to try to upload it to the router for update. When sniffing the traffic, the device requests the MINI300 version, which should be ok. Either they changed that or it is a mistake. I will report back if I have any success.

I found some guys on the Russian blog, who might also help.

http://mysku.ru/blog/china-stores/26718.html, under comments.

The difference between var11nplus and vah300 is the ram. Var11n+ only has 32M, while the vah300 has 64M. SDK is nice to have, but I am not there yet. smile

Hello. I have the same problem as you. Deeexit, could you upload the file that the router downloads? And what is its link (URI), please? Any news about your work? Could you mark which pin on the board is TX and which is RX? Thanks a lot

By the way, does anyone here happen to speak Russian?

Hi Var, and no ... I can't speak Russian. wink

RX is the closest to the ethernet socket, next one is TX. You have to take your ground from somewhere else. I took it from the antenna solder joint so it has a bit more strength.

Now the firmware part. As said earlier, I have successfully modified the firmware file so the telnetd is not commented out. It seems that busybox binary does include telnetd, so there shouldn't be any problem. I am still to flash the device with this new file.

URI for firmware upgrade is: ftp: // qinfang : 123456 @ 211.154.131.164
Device pulls the file versionNew.txt, which is somewhat encrypted, but if you wait long enough, they should release an update. The last one was 27.12.2014.

The solution with rerouting all ftp traffic to upper IP, to a local IP, works great. Device connects to a mirror site where it downloads its version file. After that it requests an update file. You can replace this file with any firmware, you only need to rename it on your local ftp server. The procedure works, but I am yet to gain some confidence that it will flash and not brick the router. I will try it in a few days, so hold on. smile

Hi there. I have also bought the MINI300 from Vonets. I have successfully connected the rx pin to the right of the MT7620 on 57600bps @ 8N1 and have received the boot log. As already mentioned UBoot does not provide any interruption keys so the boot process cannot be forced to fall back to command line.

I noticed a second pair of vias exposed left from the MT7620 chip at the height of the 1416-BMSL designation. The datasheet shows that there are JTAG ports available somewhere around that position. Since I am not familiar at all with OpenWRT I do not know if there is a possibility to use this port to our advantage. Maybe it is possible to download the flash contents?

So the Environment Variables of UBoot are protected and set to autoboot = true. I know it is possible to download the software through a programmer by removing the flash chip. But is it also possible to just change the autoboot setting with the programmer? I read somewhere that this UBoot partition is protected by a checksum calculation. Does OpenWRT auto compile a suitable UBoot for this chip? So we can just copy/paste the wifi calibration data? I am sorry, I am not really familiar with OpenWRT yet.

High resolution images

Top:
http://i.imgur.com/oUGoiiW.jpg


Bottom:
http://i.imgur.com/aCu0LG7.jpg

Boot Log:

U-Boot 1.1.3 (May 26 2014 - 14:52:34)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb8000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
******************************
Software System Reset Occurred
******************************
spi_wait_nsec: 42
spi device id: 7f 9d 46 7f 9d (9d467f9d)
Warning: un-recognized chip ID, please update bootloader!
raspi_read: from:30000 len:1000
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 4.2.S.1
--------------------------------------------
ASIC 7620_MP (Port5<->None)
DRAM component: 256 Mbits SDR
DRAM bus: 16 bit
Total memory: 32 MBytes
Flash component: SPI Flash
Date:May 26 2014  Time:14:52:34
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 600 MHZ ####
 estimate memory size =32 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.


3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3166448 Bytes =  3 MB
   Load Address: 80000000
   Entry Point:  8000c2f0
raspi_read: from:50040 len:3050f0
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000c2f0) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.36 (root@localhost.localdomain) (gcc version 3.4.2) #8 Thu Sep 4 21:49:43 CST 2014

 The CPU feqenuce set to 600 MHz

 MIPS CPU sleep mode enabled.
 PCIE: bypass PCIe DLL.
 PCIE: Elastic buffer control: Addr:0x68 -> 0xB4
 disable all power about PCIe
 PCIE: PLL power down for MT7620N
CPU revision is: 00019650 (MIPS 24Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0 console=ttyS0
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=000596dc
Readback ErrCtl register=000596dc
Memory: 18892k/32768k available (3699k kernel code, 13876k reserved, 677k data, 8928k init, 0k highmem)
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 399.36 BogoMIPS (lpj=798720)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource Ralink Systick timer
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RT3xxx EHCI/OHCI init.
fuse init (API version 7.15)
msgmni has been set to 36
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered (default)
HDLC line discipline maxframe=4096
N_HDLC line discipline registered.

(Last edited by strtfr on 6 Jan 2015, 11:32)

My device var11n+ has the same board as mini300. There are different versions only 2v0 and 4v0

is there any other difference than pcb antennas? Is the flash chip the same?

I will order some new 8M flash chips and try to put my own firmware.
I was successful with flashing MINI300 version to the router, but it seems that there is a nvram variable designating the VAR11NPlus model, so no change is visible. My next try is to flash a telnet enabled firmware. They also change the console output to ttyS1 instead of ttyS0. If it works, I will have root access to the device over console. smile

I see that flash memory is the same on both boards

Vonets Mini300
FLASH: PM25LQ032 (4MB)
DRAM: W9825G6EH-6 (32MB)

I have also appended the MINI300 bootlog in my comment above. It seems that flash is the same model. I have ordered a SPI programmer to program the flash. The VHA300 SDK apparently contains an unlocked uboot and seems to be the same platform as the mini300.

Did anyone find the openwrt version for vonets with 32mb memory? Deeexit did you try to upload vonets openwrt from their site http://www.vonets.com/ProductViews.asp?D_ID=73# into the router? How did you upload the firmware? Please write the instruction

(Last edited by Var on 6 Jan 2015, 11:49)

Vonets made all their products on the same board.
Did you find vonets var11n+ flash version. I thought it has 8mb flash chip and 32mb memory

(Last edited by Var on 6 Jan 2015, 11:54)

I have uploaded the mini300 version with the above mentioned procedure. You need to make an iptables rule for rerouting to internal ip.

iptables -t nat -A PREROUTING -p tcp -d 211.154.131.164 -j DNAT --to-destination <localIP>

These are the lines in versionNew.txt, that seem to indicate var11nplus.

1/:92aH]LmmPN2)+c6'aHYLjpnc+8alpnplmplfpmkc1=;anndmgdmkdmhdnndnnqXXdXXdXXdXXdXXdXXc:/'02/=:a'''p(/09*+p;/1p;0oH]LmmPN2)+?lpnplmplfpmk
1/:92aH]LmmPN2)+c6'aHYLkpnc+8alpnplmplfpmkc1=;anndmgdmkdmhdnndnnqXXdXXdXXdXXdXXdXXc:/'02/=:a'''p(/09*+p;/1p;0oH]LmmPN2)+?lpnplmplfpmk
1/:92aH]LmmPN2)+c6'aHYLlpnc+8alpnplmplfpmkc1=;anndmgdmkdmhdnndnnqXXdXXdXXdXXdXXdXXc:/'02/=:a'''p(/09*+p;/1p;0oH]LmmPN2)+?lpnplmplfpmk
1/:92aH]LmmPN2)+c6'aHYLmpnc+8alpnplmplfpmkc1=;anndmgdmkdmhdnndnnqXXdXXdXXdXXdXXdXXc:/'02/=:a'''p(/09*+p;/1p;0oH]LmmPN2)+?lpnplmplfpmk

Thanks

Ok, got it. I can now persuade the router to download a new file.

This is an old line for V2.0 board:
1/:92aH]LmmPN2)+c6'aHYLlpnc+8alpnplmplfpmkc1=;anndmgdmkdmhdnndnnqXXdXXdXXdXXdXXdXXc:/'02/=:a'''p(/09*+p;/1p;0oH]LmmPN2)+?lpnplmplfpmk

If we change some letters, we can persuade it that a new version is available.

so, we change 8alpnplmplfpmkc1 to 8akpnpkmpkfpmmc1 (l > k) and (k > m),  lpnplmplfpmk to kpnpkmpkfpmm (l > k) and (k > m). This should translate to 3.0.31.38. and router should request the update file from the ftp.

I will try the upgrade later today.
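
The letter substitution described in the posts above can be checked mechanically. The following is an added example, not part of the original posts: it assumes, inferred only from the sample lines in this thread, that each character c is stored as 158 - c, and it shows that the decoded line carries no hash or signature field, so obfuscation is the only thing standing between the update server and the flash.

```python
# Added example (not from the thread): decode an obfuscated versionNew.txt line.
# Assumption inferred from the posted lines: every byte c is stored as 158 - c.

KEY = 158  # '.' (46) <-> 'p' (112) and '0' (48) <-> 'n' (110): each pair sums to 158

# The "V2.0 board" line exactly as posted in the thread, split for readability.
SAMPLE = ("1/:92aH]LmmPN2)+c6'aHYLlpnc+8alpnplmplfpmkc1=;anndmgdmkdmhdnndnnq"
          "XXdXXdXXdXXdXXdXXc:/'02/=:a'''p(/09*+p;/1p;0oH]LmmPN2)+?lpnplmplfpmk")

# Field names seen in the decoded sample lines.
PLAIN_FIELDS = {"model", "hw", "sf", "mac", "download"}


def transform(text: str) -> str:
    """Apply the mapping; it is its own inverse, so it decodes and encodes."""
    out = []
    for ch in text:
        value = KEY - ord(ch)
        if not 0x20 <= value <= 0x7E:
            raise ValueError(f"character {ch!r} maps outside printable ASCII")
        out.append(chr(value))
    return "".join(out)


def parse_manifest(line: str) -> dict:
    """Decode one line and split it into its key=value fields."""
    fields = {}
    for item in transform(line.strip()).split(";"):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {item!r}")
        fields[key] = value
    return fields


def integrity_fields(fields: dict) -> list:
    """Fields beyond the known plain ones; a hash or signature would show up here."""
    return sorted(set(fields) - PLAIN_FIELDS)


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE)
    for key, value in manifest.items():
        print(f"{key:9s} {value}")
    print("integrity fields:", integrity_fields(manifest) or "none")
```

An update manifest that is meant to resist tampering needs a signature the device verifies against a key it already holds; a reversible character mapping gives no such guarantee.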

Success!! smile I now have root access over console and telnet enabled. Telnet uses the same user/pass as the webconfig. Below is the full bootlog. Console is changed to ttyS0 so we stay connected.



U-Boot 1.1.3 (May 26 2014 - 14:52:34)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb8000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
******************************
Software System Reset Occurred
******************************
spi_wait_nsec: 42
spi device id: 7f 9d 46 7f 9d (9d467f9d)
Warning: un-recognized chip ID, please update bootloader!
raspi_read: from:30000 len:1000
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 4.2.S.1
--------------------------------------------
ASIC 7620_MP (Port5<->None)
DRAM component: 256 Mbits SDR
DRAM bus: 16 bit
Total memory: 32 MBytes
Flash component: SPI Flash
Date:May 26 2014  Time:14:52:34
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

##### The CPU freq = 600 MHZ ####
estimate memory size =32 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3150436 Bytes =  3 MB
   Load Address: 80000000
   Entry Point:  8000c2f0
raspi_read: from:50040 len:301264
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000c2f0) ...
## Giving linux memsize in MB, 32

Starting kernel ...

LINUX started...

THIS IS ASIC
Linux version 2.6.36 (root@ht) (gcc version 3.4.2) #2 Mon Aug 11 14:24:45 EDT 2014

The CPU feqenuce set to 600 MHz

MIPS CPU sleep mode enabled.
PCIE: bypass PCIe DLL.
PCIE: Elastic buffer control: Addr:0x68 -> 0xB4
disable all power about PCIe
PCIE: PLL power down for MT7620N
CPU revision is: 00019650 (MIPS 24Kc)
Software DMA cache coherency
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0 console=ttyS0
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=0001935c
Readback ErrCtl register=0001935c
Memory: 18920k/32768k available (3698k kernel code, 13848k reserved, 678k data, 8904k init, 0k highmem)
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 399.36 BogoMIPS (lpj=798720)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource Ralink Systick timer
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RT3xxx EHCI/OHCI init.
fuse init (API version 7.15)
msgmni has been set to 36
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered (default)
HDLC line discipline maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x10000500 (irq = 37) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 12) is a 16550A
brd: module loaded
deice id : 7f 9d 46 7f 9d (9d467f9d)
Warning: un-recognized chip ID, please update SPI driver!
AT25DF321(1f 47000000) (4096 Kbytes)
mtd .name = raspi, .size = 0x00400000 (0M) .erasesize = 0x00000004 (0K) .numeraseregions = 65536
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000000400000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000001000000 : "Kernel"
mtd: partition "Kernel" extends beyond the end of device "raspi" -- size truncated to 0x3b0000
rdm_major = 253
SMACCR1 -- : 0x00000017
SMACCR0 -- : 0x1318065a
Ralink APSoC Ethernet Driver Initilization. v3.0  256 rx/tx descriptors allocated, mtu = 1500!
SMACCR1 -- : 0x00000017
SMACCR0 -- : 0x1318065a
PROC INIT OK!
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256).
CSLIP: code copyright 1989 Regents of the University of California.
usbcore: registered new interface driver asix
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver net1080
usbcore: registered new interface driver cdc_subset
usbcore: registered new interface driver zaurus
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
usbserial: USB Serial Driver core
USB Serial support registered for opticon
usbcore: registered new interface driver opticon
nf_conntrack version 0.5.0 (295 buckets, 1180 max)
IPVS: Registered protocols ()
IPVS: Connection hash table configured (size=4096, memory=32Kbytes)
IPVS: ipvs loaded.
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
TCP cubic registered
NET: Registered protocol family 17
L2TP core driver, V2.0
PPPoL2TP kernel driver, V2.0
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Freeing unused kernel memory: 8904k freed

init started: BusyBox v1.12.1 (2014-Algorithmics/MIPS FPU Emulator v1.5
08-11 14:16:33 EDT)

starting pid 29, tty devpts: called with bogus options
'': '/etc_ro/rcS'
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
0x1300 = 00064380

starting pid 50, tty '/dev/ttyS1': '/bin/sh'


BusyBox v1.12.1 (2014-08-11 14:16:33 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# rt3xxx-ehci rt3xxx-ehci: remove, state 1
usb usb1: USB disconnect, address 1
rt3xxx-ehci rt3xxx-ehci: USB bus 1 deregistered
rt3xxx-ohci rt3xxx-ohci: remove, state 1
usb usb2: USB disconnect, address 1
rt3xxx-ohci rt3xxx-ohci: USB bus 2 deregistered
Password for 'admin' changed
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
0x1300 = 00064380
brctl: bridge br0: No such device
brctl: bridge br0: No such device
brctl: iface eth2.1: No such device
brctl: bridge br0: No such device or address
ifconfig: ioctl 0x8913 failed: No such device
iptables v1.4.10: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Raeth v3.0 (Tasklet,SkbRecycle)

phy_tx_ring = 0x00c9e000, tx_ring = 0xa0c9e000

phy_rx_ring0 = 0x00c9f000, rx_ring0 = 0xa0c9f000
SMACCR1 -- : 0x00000017
SMACCR0 -- : 0x1318065a
ESW: Link Status Changed - Port0 Link UP
CDMA_CSG_CFG = 81000000
GDMA1_FWD_CFG = 20710000
vconfig: ioctl error for rem: No such device
vconfig: ioctl error for rem: No such device
device eth2 entered promiscuous mode
##### config Ralink ESW vlan partition (WLLLL) #####
Special Tag Disabled
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
rt635x_tssi0_dc is 0xfffffffe
rt635x_tssi1_dc is 0xfffffffd
0x1300 = 00064380
device ra0 entered promiscuous mode
brctl: iface eth2.1: No such device
udhcpc (v1.12.1) started
br0: port 1(ra0) entering learning state
br0: port 1(ra0) entering learning state
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
br0: port 1(ra0) entering forwarding state
killall: udhcpd: no process killed
SeESW: Link Status Changed - Port0 Link Down
t: phy[0].reg[0] = 3900
Set: phy[0].reg[0] = 3300
Set: phy[1].reg[0] = 3900
Set: phy[2].reg[0] = 3900
Set: phy[3].reg[0] = 3900
switch register base addr to 0xb0000300
write offset 0x1c, value 0x1
write offset 0x4, value 0xf812039f
ESW: Link Status Changed - Port0 Link UP
sh: /bin/super_dmz: not found
cat: can't open '/var/run/wscd.pid.ra0': No such file or directory
kill: you need to specify whom to kill

#

deeexit wrote:

I have uploaded the mini300 version with the above mentioned procedure. You need to make an iptables rule for rerouting to internal ip.

iptables -t nat -A PREROUTING -p tcp -d 211.154.131.164 -j DNAT --to-destination <localIP>

I'm sorry. Where did you connect vonets router? To PC or to another router? I can not connect vonets router to PC (Ubuntu 14.04). And another one question. I could not open uImage and other files to edit. Says that archive is unknown. How did you open this?

(Last edited by Var on 9 Jan 2015, 15:02)

I've connected my router directly to my PC over ethernet cable. The PC was connected to the internet over WiFi connection and iptables were established to reroute traffic from wired to wireless. I have also set up an FTP server on my local machine and issued the iptables command to reroute all traffic with the destination 211.154.131.164 to a local IP.

Regarding the firmware. You need to download binwalk to analyze the firmware. First 64 bytes are bootloader parameters, followed by the LZMA compressed image.

In short, here are the steps:

1) binwalk the firmware to discover offsets
2) use DD to slice the firmware and cut out the uboot image (dd if=firmware of=uBoot bs=1 count=64 and dd if=firmware of=image.xz bs=1 skip=64)
3) decompress the lzma image with lzma -d image.xz
4) execute binwalk again on decompressed image to find kernel and ramdisk image. At this point you can already change the file contents using some hex editor like tweak.
5) use DD again to slice out the ramdisk if you want the complete filesystem structure.
6) once you get the CPIO compressed image out, simply decompress with cpio -id < cpio_image.
7) change anything you need
8) compress the image back (I haven't tried this as I have changed the image with a hex editor before)
9) use DD to compose the image again and reunite it with uBoot parameters
10) use the above procedure to flash the modified firmware
11) explore further. smile

Hope this helps a bit. If you have any questions, just ask, but please try to do it yourself first as it will result in higher knowledge gained. smile

Good luck!
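
The steps above treat the first 64 bytes as an opaque block, while the boot log's "Image Name", "Data Size" and "Verifying Checksum" lines are consistent with a legacy U-Boot image header. This added example (not from the thread) parses that layout and shows that a hex-edited payload fails the data CRC until the header is regenerated; the uImage layout is an assumption about this firmware and the sample image is constructed.

```python
# Added example (not from the thread). Assumes the 64-byte block in front of the
# LZMA data is a legacy U-Boot image header; the sample image is constructed.
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER = struct.Struct(">7I4B32s")  # big-endian, 64 bytes in total
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def build_uimage(payload: bytes, name: str, load: int, entry: int) -> bytes:
    """Construct an image whose header and data CRCs are both valid."""
    # magic, hcrc, time, size, load, entry, dcrc, os=5 (Linux), arch=5 (MIPS),
    # type=2 (kernel), comp=3 (lzma), name (padded to 32 bytes by struct)
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
              zlib.crc32(payload), 5, 5, 2, 3, name.encode("ascii")]
    fields[1] = zlib.crc32(HEADER.pack(*fields))  # header CRC, taken with the field zeroed
    return HEADER.pack(*fields) + payload


def parse_uimage(blob: bytes) -> dict:
    """Read the header fields and re-check both CRCs the way the boot log reports."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than a 64-byte header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HEADER.size]
    data = blob[HEADER.size:HEADER.size + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size,
        "load": load,
        "entry": entry,
        "comp": COMP.get(comp, f"unknown({comp})"),
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def demo() -> tuple:
    """Return parse results for an intact, a hex-edited and a rebuilt image."""
    payload = b"constructed stand-in for the LZMA stream " * 4
    args = ("Linux Kernel Image", 0x80000000, 0x8000C2F0)
    image = build_uimage(payload, *args)
    edited = bytearray(image)
    edited[HEADER.size + 10] ^= 0xFF  # one byte changed, header left untouched
    rebuilt = build_uimage(bytes(edited[HEADER.size:]), *args)
    return parse_uimage(image), parse_uimage(bytes(edited)), parse_uimage(rebuilt)


if __name__ == "__main__":
    for label, info in zip(("intact", "edited", "rebuilt"), demo()):
        print(label, info)
```

The CRCs catch accidental corruption only: anyone can recompute them, so "Verifying Checksum ... OK" says nothing about who produced the image.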

Thanks a lot again smile

Sorry, posts 26 to 25 are missing from our archive.